Hello, hello, hello, hello, hello, hello, wow, it works, good, you guys ready to JTAGulate?
We're going to have a group JTAGulating session, you guys bring all your JTAGulation stuff,
Kleenex and stuff, good, okay, I did, I'm ready.
My name is Joe Grand, I am an electrical engineer and a hardware hacker and, yeah, I guess I've
been on TV a long time ago, not rich and famous, just famous, yeah, right, okay, so we're going
to talk about JTAGulator. JTAGulator is a device I just put together, a fully open source
device that will let you hook up to up to 24 unknown test points on a circuit board
and it will detect if there's any sort of JTAG interface, which is an on-chip debug interface,
or also UART interfaces, so things like root shell, serial debug ports, whatever.
So I'm going to go through sort of an introduction about the design, the process, JTAG, how JTAG
works, how UART works, and then, of course, give you demos of all of this stuff.
So on-chip debug interfaces are basically like the Achilles heel of embedded systems these
days.
So there's so many people getting involved in hardware, and you got, you got guys like
Charlie Miller and Chris Valasek hacking cars, those are traditionally software guys, you
have lots of other people starting to look at, at embedded systems and hardware that
don't come from that space, right, so it's really, it's gotten to this point, and on-chip
debug interfaces are one of those ways that you can totally just own systems, pretty much
if you find the interface, you can win a lot of times.
So it's a well-known attack vector, the problem is being able to, you know, you can't, you
know, find those interfaces.
And the one thing that we can always take advantage of is that vendors and manufacturers
and engineers need to use these debug interfaces to actually design their product and to test
their product, and during manufacturing, they would do final system tests.
So it's an interface that's used, vendors know that it's a potential problem, but they
normally don't do anything about it, right, so we can take advantage of all of that.
So the goal for the project is just to create a tool that will get people interested in
hacking devices in hardware.
Hardware hacking, especially for non-hardware folks that don't have the equipment or the
time to have to manually go through everything and remove chips and all of that crap.
It's just to get it done, get it done right, find the interface, and then start hacking.
As with anything, you're sort of building on other work, and this is no exception.
I first had seen some work about JTAG finding with Hunz's JTAG finder, which was basically
like a proof of concept from 2006.
Proved that it was possible to brute force or enumerate through all the different permutations
of different test points for JTAG.
That was pretty cool.
He did it on like some sort of Atmel development board, but that's as far as he went with it.
The next thing I saw after seeing that, I'm like, okay, so there is some work out there.
Saw JTAG Enum by Dead Hacker and also RS-232 Enum, and these were better than the original
proof of concept, but they were missing key features.
He was using an Arduino for the platform.
Which limited things to either 3.3 volts or 5 volts.
Code left much to be desired.
They didn't have input protection.
And just a bunch of stuff on there that I saw, and I was like, okay, well, I want to
build a tool that I can actually recommend to people and feel good about having them
connect up to stuff.
Because if you don't have that protection, if you don't have certain things in there,
you could fry your target port, and that's not really a good idea.
And then Cyber Fast Track, which is a really cool program.
I had submitted, so once I did all this research, I wrote like this whole, you know, proposal
for Cyber Fast Track.
I was like, this is awesome.
You know, all my friends are doing this.
I'm doing CFT.
I want to do CFT and get paid to develop JTAGulator.
Like, that would be totally awesome.
But it didn't actually work out that way.
They said, oh, too much engineering.
Sorry, not enough research.
And at that point, I had already done all of the work to get to that point.
I wrote the proposal and the studying of JTAG and everything.
And I'm like, forget it.
I'm going to do it anyway.
And then just, you know, get it out there anyway and not get paid while I do it.
And that's fine.
So this is the result of all of that effort.
There's a bunch of other work as well.
So Travis Goodspeed's GoodFET, that was originally like this kind of open JTAG debugger, some
black box reverse engineering that Felix Domke did a few years ago, which is basically, as
you'll see when we go through this, trying to brute force undocumented JTAG commands,
whereas we're taking advantage of things that are existing.
He's looking for other stuff, which is kind of interesting.
And then there's a really cool paper from NFI, from the Netherlands Forensic Institute,
about this sort of JTAG discovery, but in a different way.
So first we have to identify interfaces before we even try to hook up JTAGulator to it.
External interfaces are things that we don't even have to open up the product to look for.
So they're accessible to the outside world.
Usually they're intended for engineers or manufacturers, not for end users.
So you'll see them hidden under batteries or under stickers or covers or something on the back of the device
or somewhere on the device.
And usually it's used for system programming, final system tests, something like that.
Maybe it's a proprietary.
So if you look up there, we see there's like a Garmin GPS.
I think that's a serial interface in this example.
An RSA SecurID token with five pins on there.
They had once told me, oh, that's only for programming the device.
I don't know if that's true or not.
I guess it doesn't matter anymore.
But it's a good picture.
And then the other one is from the Jawbone UP, that wristband accelerometer, with the cap removed.
So those of you guys that have it, there's a button on the end that you can push to do something with.
If you take that cap off, you see the buttons in the center, and then there's four posts on those corners.
And that's some sort of final programming interface.
So if you can discover the interface, then you have to figure out what to do with it.
But those are external interfaces, internal interfaces.
If you get access to the circuit board, which is really part of that hardware hacking process, sometimes you do need to get physical access.
Sometimes you do need to get to the circuit board.
That's not a big deal.
That's the excuse that vendors give: oh, they'd have to have physical access.
That's just a total fallacy.
There's lots of ways you can get physical access to things.
So you look for things like test points, unpopulated component pads, silkscreen markings might give you some information about, you know, here's some interesting test points, or here's the name of the interface.
Engineers like to put things on circuit boards that make their job easier and that make the assembly facilities job easier.
So we can take advantage of all of that stuff.
Usually debug interfaces are going to be in like an easy access location.
So if you look on the picture on the right, that is a very obvious interface.
There's four gigantic holes there, four gigantic pads, test points, and I don't know if you can see, but on the silkscreen it says VBAT, ground, I2C clock, and I2C data.
So we know right away, okay, that's an I2C interface, an inter-chip communication bus.
We know that.
We don't need a JTAGulator.
We can hook up a bus pirate or a logic analyzer or an oscilloscope or whatever, start capturing communication.
That's no big deal.
The engineer was nice and made that very obvious for us.
The one on the right, that's one of the BlackBerry devices.
In that case, there's kind of test points sprinkled all over the place, but then there's a very obvious grouping of some test points.
So I would look at that and say, okay, that's probably some sort of interface.
Usually connections or signals that perform a similar function are all together.
So a bus would all be there.
So that's probably a debug interface.
It is.
It's JTAG.
Sometimes it gets even easier.
So these examples are, one is from the Xbox on the right.
The one on the left is from Barnaby Jack's ATM talk from a few years ago.
And in those cases, you see nice silkscreen markings.
It goes around the whole thing and on the left, in Barnaby's case, that was a Windows CE-based platform in the ATM.
He opened it up and saw the JTAG interface right there using an industry standard interface.
It said JTAG.
He just got his off-the-shelf tools, plugged it right in and started his pwnage.
So, you know, no, basically no hardware reverse engineering necessary at that point.
So we can take advantage of that.
JTAGtest.com has a list of common pinouts that people use.
And if you encounter that, you don't need a tool.
Like JTAG, you just plug in.
It's a little bit harder if there's no, you know, obvious markings.
But in this case, we can take advantage of the groupings of traces.
So that picture on the left shows six test points, and see all the traces are going down together.
That's probably some sort of interface.
It's right on the edge of the board.
Very easy to access.
That would be a target interface for us.
You can also take into account the location of resistor arrays or pull-ups or pull-downs on different bus lines.
Because those are normally used to set the signal.
So that's a static state of some sort of interface.
So if we see a grouping like that, like a resistor array right next to a connector, it's like, okay, that connector is probably some sort of bus that needs pull-ups or pull-downs.
That's a target.
Let's take a look.
Things get a little bit harder when there are no obvious test points.
So things like this where we have just four unpopulated component pads in place of a connector or in place of test points.
So this is a Buffalo wireless access point.
Trying to be sneaky.
So they have these unpopulated R24, R29, 315, 316.
So they're trying to obfuscate the interface.
But as soon as you discover what those are, and those red markings obviously are the pinouts for JTAG.
As soon as you discover what that pinout is, then you win.
It's not going to change device to device.
For that particular device, now you know.
So security through obscurity doesn't work.
We say that all the time, and it's true.
If you do discover an on-chip debug interface, or what you think might be an interface, or test points,
currently you have to manually determine pin function.
So you look at a grouping, like that grouping of BlackBerry pins, and you're like, okay, crap, what am I going to do?
You can first try to use your oscilloscope and see what's going on.
But actually what I like to do first is try to see if I can trace the signals back to a microcontroller or to some sort of device.
So I'll either visually look, I'll use continuity test if I can with a multimeter.
If it's a BGA part, a ball grid array, that's going to get a lot harder, right?
Because you can't access the balls underneath the part.
So probing only gets you so far.
You could use X-ray if you have access to X-ray equipment, which is becoming more common.
But still, you know, you don't really have one at your house, I hope.
Yeah, some people do.
I'm not going to ask for what.
And then you can identify the parts that are the target components, look up the data sheet, find the pinouts of what those parts are, see if they trace out anywhere.
That's sort of the standard manual process.
It's fine for certain.
It's totally valid.
But for other devices like highly integrated mobile phones and stuff, it's just not even a possibility.
Then you can start probing the connections, use your scope, use your logic analyzer, see how the states of those pins change as you pull the other pins high or low.
Lots of permutations, just a total pain in the ass.
And I'll show you why the JTAGulator is better.
But not yet.
So I'm going to go into some details of JTAG and of UART, asynchronous serial.
Just to get an idea of how all the kind of technology works.
And then it will make sense when we start to essentially brute force the connections.
You'll understand.
It makes total sense.
So JTAG is one of these interfaces.
It's an industry standard interface.
And it basically, the IEEE 1149.1 standard basically defines like this low level finite state machine and like very low level functionality.
So usually what you see is the vendor might add extra functionality or might abstract all of that low level stuff.
But for our purposes, we don't care what happens at a higher level with what the vendor does.
We want to communicate directly with the chip to figure out the pin out.
That's the only goal.
So the beauty of JTAG, as opposed to a lot of the other types of on-chip debug interfaces that you see that are more vendor specific, is that we can access every single individual pin on the device.
So we can send data out.
We can read data in on every single pin.
That's what allows when you do like flash updates through JTAG port.
Because we control the main CPU and we're basically treating it as a puppet.
And now we can communicate with everything that that thing is connected to.
So we can program devices.
We can do debug and essentially use standard development tools to now communicate with these parts.
As opposed to some of the other interfaces as well, which is why JTAG is so popular.
You can chain connections together, chain devices together.
So you can have a single interface, but then you can have like two or three parts on the board.
That you can communicate with through that single interface or even multiple dies within the same part.
So you might have a CPU, memory, and like a crypto coprocessor or a codec or whatever.
All in the same package, but now you can still individually through JTAG communicate with each of those parts.
Because JTAG ends up being a gigantic shift register of varying lengths once you figure that out.
And I'll talk about that.
And the vendor, again, will abstract all of that low level stuff.
And we don't really care.
Once we know the pin out.
We can then load legitimate development tools that the vendor makes or some of the open source stuff that's out there.
And then start our attack process.
JTAG is a synchronous serial interface, which means it's a serial interface with input and output.
And then we need a clock to align itself to synchronize that data flow.
So we have TDI, which is data in.
We have data out.
Test mode select and clock.
Mode select is what we use to change state of the system, and I'll show you a diagram on the next few slides, to basically change function or to shift data in or to load an address or load an instruction.
I basically think of JTAG as like a tiny little CPU that you can just send like very finite number of commands to.
Then you also have test reset, which is an optional pin.
So sometimes you see it on board.
Sometimes you don't.
All it's used for is to reset the TAP, which is the test access port, asynchronously.
You can also do it by holding TMS high.
And clocking five cycles, which is what we do.
So you don't really need the external test reset pin.
So we don't look for that because we don't care about it.
So we have the TAP, which is the state machine, and it has different shift registers that we can take advantage of.
So the first one is the instruction register.
So this is where you would load in a low level JTAG instruction.
It has to be greater than two bits wide.
That's just per the spec.
Usually it's like an eight bit instruction or 16 bit instruction.
And then for data registers.
You have a bypass register, which we're going to take advantage of.
That's just a one bit register where you shift data in and one clock cycle later you get data out.
That's what you can use to bypass one chip and get to another chip in the chain.
Then you have boundary scan.
That's going to be the definition of how you access every single pin.
So you know the length of the register that it needs to be, and that's going to be defined by how many pins the part has.
But so the boundary scan you shift data into this gigantic register and then you can latch everything at once.
And then the device ID, which we also take advantage of for a different type of scan is a 32 bit register.
It's optional, so it's not required in the spec, but pretty much every device out there will have a device ID.
But I wanted to make it another way to test in case the device didn't have a device ID.
We can still do it with a bypass scan.
Here's just a quick little high level view of the inside of JTAG.
You have the core logic in the center of the chip and then the BSC cells that are attached to each of those I/Os; that's the boundary scan cell, so that will control inputs and outputs, which is totally crazy, to just be able to control a chip like that.
It's really cool.
Then you have your data register, instruction register, and depending on what you shift in and depending on what state you're in defines which register is going to be shifted out on the TDO line.
So here's the TAP controller.
This is the state machine.
It looks a little bit confusing, sort of like spaghetti, but it's very simple: you're either shifting into work with the data register or you're shifting into work with the instruction register. Once you do that, then you just load data into either one and then you latch it and then you can exit and then you can shift data out. So it's not as complicated as it seems, and I'd read through all of the IEEE standards, and like they make the stuff so boring and so complicated, but it doesn't have to be.
And I think that's just one of those things, it's like, I don't know if people just write this stuff to look smart and then it's our job to distill it and make it not smart, right? So this stuff is not as complicated as it looks, and again we don't care about anything above this low level. So these are the JTAG instructions that are available, I don't know how well you can see that slide.
There's three required commands and then a bunch of optional ones. Everything else, all the debug functionality that might be available on a part, anything else that's vendor specific, is all at a higher level. At a lower level it's shifting things in, it's calling commands, it's shifting stuff out of the various data registers.
Maybe they add extra data registers for, you know, other memory locations or for debug stuff, or a command to read memory or write memory. It's all vendor specific at that point. The things we take advantage of are the bypass command, which is going to shift data in and out, and then the IDCODE command.
If you do this enough you will run into JTAG implementations that do have some sort of protection.
But like anything else, most people don't use protection.
Right.
It's pretty safe to say.
Especially at DEF CON.
But you do run into it once in a while; vendors are aware of what's going on, but making changes in silicon is really hard, right? So even if a vendor knows about JTAG and they try to do some sort of password protection or whatever, it's a big change for them to do that and they're gonna have to update everything else from that point that uses JTAG.
What you might see are physical security fuses that are blown on the chip itself to prevent JTAG access from happening at all. Of course once you do that, the vendor can't use it as well, so it's a kind of risky maneuver. You might be able to do a silicon die attack, sort of like what Chris Tarnovsky does, to physically repair that fuse and then get into the device through JTAG.
Some devices have some sort of password protection.
Usually if there is a password it will still enable bypass mode so we can still use it to determine the interface.
But then at that point we have to figure out how do we bypass that password protection.
There is one case I've heard of, maybe more, but here's one example of a device that had internal flash memory that would erase after some amount of invalid password attempts, but it wasn't keeping track of the password attempts between power cycles, so it was in some sort of volatile memory somewhere. So you could just figure out what that upper limit is and then just do some number of password brute forcing, reset the device, and do more.
Once you do find the JTAG interface you can use a bunch of available hardware tools.
H-JTAG, RIFF Box, there's lots of stuff out there. Again, we only care about finding the interface, and then you use tools that are actually designed to use JTAG at a higher level, because there's no point in recreating the wheel to do these things, and then you can use some of the open source software stuff as well.
So that's JTAG.
UART, it's a little bit simple.
Right, we've all used some sort of serial interface of some sort. UART is an asynchronous serial communications method, so there's no external clock; all of the bits are sort of determined by time, so if we have that time right then the data bits will line up.
So you have like start bit, data bits, parity, stop bit. JTAGulator is just checking 8N1 for UART because that's kind of the most standard UART interface, and even if you have like 7E1, which is also common, we would see that with 8N1 and then we would just have to fiddle with the settings, you know, in a terminal program or something like that.
Yes, it's asynchronous; we're only looking at two lines, we're looking for TX and RX, so we're going to send data to the device and we're going to look for a response on all of the other pins, and we'll change through all the different permutations of that. All the control signals that are used, that were sort of for legacy types of equipment, modems and teletypes or whatever, we're not looking at those,
because we normally don't need those.
Here is a screenshot of the UART, just showing the data communications. I have digital decoding functionality on my scope so I can actually see the data being transferred.
And then to determine the baud rate, so say you do discover the interface but the baud rate isn't quite lining up, you could just measure the smallest bit time, the bit width, do one over that and you'll have the baud rate. So in this case it's 8.7 microseconds, so it's around 115.2 kilobits per second.
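The baud-rate rule and the 8N1 framing described above, as an added Python example that is not code from the talk or from the JTAGulator firmware. The capture is constructed by encode_8n1() to stand in for a logic-analyzer recording of a target's TX pin; the sample rate, the baud and the text are assumed values chosen for illustration.

```python
"""Baud-rate measurement and 8N1 decoding of a captured UART waveform.

Added example in Python, not code from the talk or from the JTAGulator
firmware. The capture is constructed by encode_8n1(); the sample rate,
baud and text are assumed values chosen for illustration.
"""

STANDARD_BAUDS = (1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200, 230400)


def encode_8n1(data: bytes, baud: int, sample_rate: int, idle_bits: int = 4) -> list:
    """Constructed capture: the 0/1 samples a logic analyzer would record on a
    target's TX pin sending `data` as 8N1 (line idles high, LSB first)."""
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> i) & 1 for i in range(8))  # 8 data bits, LSB first
        bits.append(1)                                  # stop bit, no parity
    bits.extend([1] * idle_bits)
    spb = sample_rate / baud          # samples per bit; usually not an integer
    samples = []
    for k, level in enumerate(bits):
        samples.extend([level] * (round((k + 1) * spb) - round(k * spb)))
    return samples


def min_pulse_samples(samples: list) -> int:
    """Length of the narrowest run of identical samples: that is one bit time."""
    shortest, run = len(samples), 1
    for prev, cur in zip(samples, samples[1:]):
        if cur == prev:
            run += 1
        else:
            shortest, run = min(shortest, run), 1
    return min(shortest, run)


def estimate_baud(samples: list, sample_rate: int) -> int:
    """Same rule as on the scope: 1 / (smallest bit width), e.g. 8.7 us -> ~115 kbit/s."""
    return round(sample_rate / min_pulse_samples(samples))


def nearest_standard_baud(estimate: int) -> int:
    """Snap the measured rate to the closest standard setting for the terminal program."""
    return min(STANDARD_BAUDS, key=lambda b: abs(b - estimate))


def decode_8n1(samples: list, sample_rate: int, baud: int) -> tuple:
    """Decode frames by sampling each bit at its centre.
    Returns (bytes, framing_errors); a stop bit that reads low means the
    baud rate (or the 8N1 assumption) does not line up."""
    spb = sample_rate / baud
    out, errors, i = bytearray(), 0, 1
    while i < len(samples):
        if samples[i - 1] == 1 and samples[i] == 0:       # falling edge: start bit
            edge, value = i, 0
            for n in range(8):
                idx = edge + round((1.5 + n) * spb)       # centre of data bit n
                if idx < len(samples) and samples[idx]:
                    value |= 1 << n
            stop = edge + round(9.5 * spb)                # centre of the stop bit
            if stop < len(samples) and samples[stop] == 1:
                out.append(value)
            else:
                errors += 1
            i = stop + 1                                  # resume just past the stop bit
        else:
            i += 1
    return bytes(out), errors


if __name__ == "__main__":
    capture = encode_8n1(b"root@target:~# ", 115200, 10_000_000)
    est = estimate_baud(capture, 10_000_000)
    print("measured", est, "-> use", nearest_standard_baud(est))
    print(decode_8n1(capture, 10_000_000, nearest_standard_baud(est)))
```

Decoding at the wrong rate shows up as framing errors or garbage rather than silence, which is the "isn't quite lining up" case from the talk. A 7E1 stream has the same ten-bit frame length as 8N1 (start, seven data bits plus parity, stop), so this decoder still frames it correctly and only the top bit of each byte carries parity instead of data, which is why a scan that assumes 8N1 still catches it.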
All right, so a little bit of hardware about JTAGulator.
As with lots of stuff that I design I want to be open source I want to be hackable I want people to use it I don't want it to be over complicated I don't want to try to show off how you know smart I can be.
Because I'm not that smart.
But I wanted something that you guys can use, that's the whole point. So I have a simple command based interface; everything is done through the USB port to a host, and I'll give you a demo of that.
But it has proper input protection so we can hook up to a device; we don't know what we're connecting to, right, we're just looking at a board.
We don't know if we're connecting to proper voltage levels that are going to, you know, work with our part, so we have input protection, we have adjustable target voltage so we can match the target voltage of the target device so we're not accidentally damaging that device as we're sending signals to it.
All components off the shelf, again from Digi-Key, and you could hand solder these boards if you want.
I soldered four of them and I'm like, forget it, I'm done.
I'm letting Parallax do it from now on.
So block diagram: we have a Parallax Propeller device in the center, which is a great tool for hacking with, as you'll see.
We have a standard FTDI FT232 USB to serial interface that's going to provide power through USB and also provide our programming interface and our command interface.
I'm using a D-to-A, actually I'm using an op amp and a filter as a D-to-A, to generate the target voltage, so 1.2 to 3.3, and I'll go through details of each of these parts.
And then voltage level translators to translate our voltages, and some power stuff.
Here's the board.
Figured it had to be pink, with like a heavy metal JTAGulator logo. Someone's clapping, they like pink. I like pink too, yeah.
What better contrast, right?
So I don't know, it was fun.
But here's the basic setup.
And so there's 24 channels, either through screw terminals or through the 2x5 headers, which are compatible with the Bus Pirate probes, so you can just plug into the headers and you'll have little mini clips that you can use.
So depending on what your interface is you could use either one.
So the Propeller is the core of the system. For those of you guys that aren't familiar, it's a device that was completely built from the ground up by Parallax.
Meant to be a device that's fun to work with and kind of fun to hack on and fun to develop with. Chip Gracey, the guy that designed it, grew up with the 6502 and hacking the eighty and early PIC devices, and he's a hardware hacker to the core, and he was just kind of tired of all the restrictions of different types of tools and NDAs and all this crap, so he's like, I'm gonna build my own. So it's a great hacker tool. It has eight independent cores, which are called cogs, and sort of some time slicing of that. You can code it in Spin, which is what I'm using, assembly, or C. There are a bunch of new tools being developed that are cross platform tools.
For now you can do PC and Mac at least with Spin, and the open source Spin tool should be coming out soon.
If you guys were here last year, DEF CON 20, right, you guys have DEF CON 20 badges? Yeah, OK, those are all Propeller processors, so in theory you could load the JTAGulator code onto your badge and connect up to stuff.
But you don't have the input protection and, you know, target voltage settings, but you could if you wanted to.
The other cool thing about the Propeller is, like some of these other hobbyist platforms, it has a huge amount of code sharing. So Parallax has the Object Exchange; we can grab things, it's like, I want to do, you know, D-to-A, grab that code, I want to do a debug interface to serial, grab that, and you can put stuff up there as well, so it's really a kind of cool hacker developer community.
We're running 80 MHz, which leaves lots of possibilities for not only detecting interfaces, which is what we're doing, but also generating all sorts of different things to go further with devices if you wanted to.
The Prop has 32K of RAM, bootloader in ROM, and then each cog has 2K, so yeah, it's a good part.
Of course you can look into more detail if you want.
The USB interface, I mentioned, is the standard FTDI part, so it will just be recognized as a virtual COM port on any machine you have, and you can start communicating with JTAGulator. I have a MIC2025, that's a USB distribution switch, because according to the USB spec you're not just supposed to plug a device into USB and let it go to town right away.
During enumeration you're only given 100 mA by the host, and then you're supposed to enumerate and then request more for the rest of your system. So what we're doing is we're only enabling the FTDI part; once the host comes back and says OK, you're enumerated, you're ready to go, then we enable the rest of the system.
That's a safe way to do it, so we're not damaging any USB ports.
Target voltage: PWM output from one of the pins on the Prop, and the duty cycle is going to determine what the output voltage is, and I have a little RC filter and an op amp, a very simple implementation of a D-to-A, and I have a lookup table that actually defines the duty cycles for each voltage level in 0.1 volt increments, so we can be very fine in our output voltage. And I picked the eighty eighty sixty five because it has a high output current on that one output, single supply, so we can get about 150 mA output through that part for our voltage range.
That way, maybe we need to use the adjustable target voltage, which there's a breakout on here, it's the VADJ line, if we want to use that to maybe power something on the target board or maybe do some extra circuitry with, you know, whatever we need to do. 150 mA is a pretty decent amount.
Level translation: I'm using the TXS0108, which are bidirectional level translators which will convert our 3.3 volt signals, which are coming from the Propeller, to our VADJ level, our adjustable voltage level, so 1.2 to 3.3 output.
And then it has this high impedance state if we disable the output enable line, so we can connect all of our test points up while the thing is not driving the lines at all, so we don't cause something to happen when we're not ready to start our search.
And then the input protection, which we need because we don't know what we're connecting to. So we have diode limiter clamps in there that are going to clamp to some level of negative voltage and some level of high voltage, and also we have a current limiting resistor in there; for each channel we have this set up.
So as long as our forward voltage for these diodes that we're using is less than half a volt, which it is, then we're going to limit ourselves to the adjustable voltage plus forward voltage and minus forward voltage. That's our limit, so we're not going to damage any of our pins with unknown input voltages.
Bill of materials: there's quite a few parts but none of them are really that expensive, so again everything from Digi-Key. The bill of materials is online, around $51 in single quantity, if you feel like building your own.
So that's the hardware design, pretty straightforward, and the good thing is the hardware is never really going to need to change. Maybe we want to develop some plug in module to do higher voltages for SCADA equipment or industrial equipment or something, but the core hardware doesn't change. The firmware can change as we add more functionality; as people start hacking on stuff we can add things in.
So here's the current source tree. I have the main object file; these Spin files are the individual modules, just to keep things modular. So if we add in, say we do a Microchip ICSP interface, we can add that as a separate file and link that in, sort of like, you know, C files are each header file, whatever. You get it.
So the main file is jtagulator, and then we have the serial terminal, Parallax Serial Terminal, which is the user interface.
RealRandom is a pseudo random number generator that we're using for the bypass scan, which I'll show. PropJTAG is all of the low level JTAG routines, and then the JDCogSerial is something I grabbed from the Object Exchange that is another UART interface, and I can just pop that into whatever cog I want, and that's going to be the interface that's doing the UART detection.
So for actual functionality I'll go through a few of the I'll go through the ways that were scanning and then I'll give you a demo.
The IDCODE scan is the first thing that we can do, and this is assuming that the device actually supports IDCODE, supports the device ID. This 32-bit device ID, if it's available, is going to be in the data register on reset, so all we have to do is enter the Shift-DR state and just send a clock, and if there is a device ID it's going to come out on the TDO line. We don't need to send any data in, so that's going to speed up our search, because now we're only looking for three pins instead of four pins for our various permutations.
If we do get a device ID, if we get a valid one or one that we think might be valid, we can validate that by checking datasheets or BSDL files, which are boundary scan files that define the entire internal structure of the part. You can find a lot of that stuff with development tools: legitimate development tools, open-source tools will list some of that stuff; maybe look at reference code to make sure that the device ID you get is the correct one. If it is, then you know you have the interface.
You can also just verify the manufacturer ID, which is a specific code assigned by JEDEC, which is a standard; you can go to that website, grab the actual document for free, and then when you get your device ID back from the device you can go, OK, make sure it's an Analog Devices part or a Broadcom part or a Qualcomm part, whatever it is, to see if that data is actually correct.
So the way the scan works is it's going to ask us for the number of channels to use, and then for every possible pin permutation it's just going to go through and try to get the device ID. If it reads all ones, or if bit zero is not one, then we're going to ignore it. If bit zero does not equal one we ignore it; if it does equal one then it's potentially a good device ID. We don't fully know, so there is still some human interaction, but usually, hopefully, you're not going to get lots of false positives. So that's the IDCODE scan.
The bypass scan is what we can use to actually get TDI as well, because now we need to shift data in and compare it to the data coming out. So bypass just takes data one clock cycle delayed, as you can see in the scope screenshot here. So by doing bypass we can also figure out how many devices there are in the chain, which is called blind interrogation. All we're doing is, basically, first we need to force all devices into bypass, and on that instruction sheet, bypass mode you can enter by sending a command of all ones. But we don't know the instruction register length, right, because it's sort of a black box, so we just send in a shitload of ones and kind of flush the entire device. We do 1,024 ones, because we don't know how many devices are there, we don't know how many instruction registers there are, so we send a ton of ones. Then we assume we're in bypass mode, then we load a bunch of ones into the data register, flush everything full of ones, and then we send a single zero and cascade it through until we see it on the output. Once we do, then we know, OK, great, and we can figure out the number of devices as well. So the bypass scan does exactly what I mentioned, just with every different pin permutation.
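The IDCODE and bypass scans described above, as an added example that is not the JTAGulator's own Spin firmware: a small simulated IEEE 1149.1 TAP stands in for the target, and the scanner walks every channel permutation the way the talk describes. The channel count, pin mapping and IDCODE values are constructed, and undriven lines are assumed to read high.

```python
# Added example, not the JTAGulator's Spin firmware: the IDCODE and BYPASS scans run against a small
# IEEE 1149.1 TAP model. Channels, pin mapping and IDCODEs are constructed; undriven lines read high.
from itertools import permutations
# TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP = {"TLR": ("RTI", "TLR"), "RTI": ("RTI", "SelDR"), "SelDR": ("CapDR", "SelIR"),
       "CapDR": ("ShDR", "Ex1DR"), "ShDR": ("ShDR", "Ex1DR"), "Ex1DR": ("PDR", "UpDR"),
       "PDR": ("PDR", "Ex2DR"), "Ex2DR": ("ShDR", "UpDR"), "UpDR": ("RTI", "SelDR"),
       "SelIR": ("CapIR", "TLR"), "CapIR": ("ShIR", "Ex1IR"), "ShIR": ("ShIR", "Ex1IR"),
       "Ex1IR": ("PIR", "UpIR"), "PIR": ("PIR", "Ex2IR"), "Ex2IR": ("ShIR", "UpIR"),
       "UpIR": ("RTI", "SelDR")}

class Tap:  # one device: 4-bit IR, IDCODE selected after reset, BYPASS when the IR is all ones
    def __init__(self, idcode):
        self.idcode, self.state, self.ir, self.sr, self.n = idcode, "TLR", 0, 0, 32
    def clock(self, tms, tdi):
        shifting = self.state in ("ShDR", "ShIR")
        tdo = self.sr & 1 if shifting else 1                 # TDO is hi-Z (pulled up) unless shifting
        if shifting: self.sr = (self.sr >> 1) | (tdi << (self.n - 1))   # LSB out, new bit in at the top
        self.state = TAP[self.state][tms]
        if self.state == "TLR": self.ir = 0                  # reset selects IDCODE
        elif self.state == "CapDR": self.sr, self.n = (0, 1) if self.ir == 0xF else (self.idcode, 32)
        elif self.state == "CapIR": self.sr, self.n = 0b0001, 4
        elif self.state == "UpIR": self.ir = self.sr
        return tdo

class Board:  # target with n test points; pinmap (constructed) says which channel is which JTAG pin
    def __init__(self, devs, n, pinmap):
        self.devs, self.n, self.pin, self.tdo = devs, n, {v: k for k, v in pinmap.items()}, 1
    def pulse(self, tck, tms, tms_v, tdi=None, tdi_v=1):   # drive TMS/TDI, pulse tck, read all channels
        drive = {tms: tms_v, tdi: tdi_v}
        if tck == self.pin["TCK"]:                           # only the real TCK clocks the chain
            t, d = drive.get(self.pin["TMS"], 1), drive.get(self.pin["TDI"], 1)
            for dev in self.devs: d = dev.clock(t, d)        # each TDO feeds the next device's TDI
            self.tdo = d
        return {c: self.tdo if c == self.pin["TDO"] else 1 for c in range(self.n)}

def idcode_scan(board, channels):
    """Every (TCK, TMS, TDO) permutation: reset, walk to Shift-DR, clock 32 bits out of TDO."""
    for tck, tms, tdo in permutations(channels, 3):
        for v in (1, 1, 1, 1, 1, 0, 1, 0, 0): board.pulse(tck, tms, v)   # TLR, RTI, SelDR, CapDR, ShDR
        code = sum(board.pulse(tck, tms, 0)[tdo] << i for i in range(32))  # LSB first
        if code != 0xFFFFFFFF and code & 1:                  # floating line, or bit 0 not 1: ignore
            yield tck, tms, tdo, code

def bypass_scan(board, channels, max_devs=32):
    """Every (TCK, TMS, TDI, TDO) permutation: 1024 ones into the IR, fill the DR with ones, one zero."""
    for tck, tms, tdi, tdo in permutations(channels, 4):
        seq = [1] * 5 + [0, 1, 1, 0, 0] + [0] * 1024 + [1, 1, 1, 0, 0] + [0] * max_devs
        for v in seq: last = board.pulse(tck, tms, v, tdi, 1)[tdo]   # reset, ShIR, flush, ShDR, fill
        if last != 1: continue                               # TDO must be high before the zero goes in
        board.pulse(tck, tms, 0, tdi, 0)                     # the single zero
        for n in range(1, max_devs + 1):                     # one clock of delay per BYPASS register
            if board.pulse(tck, tms, 0, tdi, 1)[tdo] == 0: yield tck, tms, tdi, tdo, n; break
```

With two devices in the chain the IDCODE scan returns the ID of the device nearest TDO, and the bypass scan reports the chain length it found.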
So then the UART scan. Now we're looking at the UART interface, and it is kind of cool because you can actually send any output string you want. So normally, you know, if you connect up to an interface you hit carriage return to see if you get a response; with old stuff, you know, if you want to hang up on a modem or whatever you do plus plus plus, or, you know, what everyone does, maybe the escape key. You can tell JTAGulator what you want to send out on what it thinks is the TX line, and it's going to look on the RX line to see if it gets anything back. So it's going to try all the different baud rates and basically wait 20 milliseconds to see if it receives a byte back, and if it doesn't then it's going to move on to the next thing; 20 milliseconds is pretty low, in computer time anyway. If there is a valid response, it's going to display 16 bytes of data so we can quickly go through and see if there's any human-readable stuff or something that makes sense for what we're looking at.
Here are the baud rates that are stored in the lookup table; these are all the standard baud rates. If you do encounter something, maybe you find out the pinout but you're not seeing data that makes sense, like I mentioned earlier, use your scope, figure out the baud rate, load it into a terminal program and see if that helps at all, if it's some sort of nonstandard baud rate.
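The UART scan just described, as an added example that is not the JTAGulator's own code: a constructed target reply is encoded as an 8N1 waveform at one baud rate, and the scanner decodes it at each rate in a constructed, partial baud-rate table and shows the 16-byte window the talk mentions, flagging carriage return, line feed or printable text as the talk's rule of thumb. Sending the carriage return itself is not modelled, only the reply.

```python
# Added example, not the JTAGulator's Spin firmware: a bit-level model of the UART scan. The target
# reply, the sample rate and the (partial) baud-rate table are constructed for illustration.
STANDARD_BAUDS = (300, 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200)
SAMPLE_HZ = 4_000_000          # resolution of the simulated line, one list entry per sample

def uart_encode(data, baud, idle=64):
    """8N1 transmitter: returns line levels (1 = idle/mark) with `idle` samples of mark around the frames."""
    spb = SAMPLE_HZ // baud    # samples per bit cell
    levels = [1] * idle
    for byte in data:
        for bit in [0] + [(byte >> i) & 1 for i in range(8)] + [1]:   # start, d0..d7 (LSB first), stop
            levels += [bit] * spb
    return levels + [1] * idle

def uart_decode(levels, baud, limit=16):
    """8N1 receiver at `baud`: on a falling edge, sample the centre of the start bit, the eight data
    bits and the stop bit; a bad start or stop bit is a framing error and that edge is skipped."""
    spb, out, i = SAMPLE_HZ // baud, bytearray(), 1
    while i < len(levels) and len(out) < limit:
        if not (levels[i - 1] == 1 and levels[i] == 0):      # wait for a falling edge
            i += 1
            continue
        cells = [i + spb // 2 + n * spb for n in range(10)]  # centres of start, d0..d7, stop
        if cells[-1] >= len(levels):
            break
        if levels[cells[0]] == 0 and levels[cells[9]] == 1:  # framing is valid at this rate
            out.append(sum(levels[cells[n + 1]] << n for n in range(8)))
            i = cells[9]                                      # resume after the stop bit
        else:
            i += 1
    return bytes(out)

def looks_like_console(data):
    """The talk's rule of thumb: CR/LF or printable text suggests a real serial console."""
    return bool(data) and all(32 <= b < 127 or b in (0x0A, 0x0D) for b in data)

def uart_scan(reply_wave, bauds=STANDARD_BAUDS):
    """Try each baud rate on the captured reply and report up to 16 bytes per rate, as the firmware does."""
    hits = []
    for baud in bauds:
        data = uart_decode(reply_wave, baud)
        if data:                                              # something came back within the window
            hits.append((baud, data, looks_like_console(data)))
    return hits

# Constructed target: a DD-WRT-style prompt answered at 115200 (the rate the scanner has to find)
REPLY, TARGET_BAUD = b"\r\nroot@DD-WRT:~# ", 115200
if __name__ == "__main__":
    for baud, data, console in uart_scan(uart_encode(REPLY, TARGET_BAUD)):
        print(f"{baud:>7}: {data.hex()} {'<- readable' if console else ''}")
```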
Here are some timings; this stuff happens pretty fast. IDCODE scan: since we're ignoring TDI, it's only three possible pins that we need, so the number of permutations goes down and it's pretty fast, 264 permutations a second. Bypass mode: we have that extra pin, the TDI pin, and because we have to flush so many ones through there it takes a little bit longer, so it just happens to be 13.37 permutations a second, which is totally leet. And you can see, most of the time it's like two seconds, five seconds, thirty or thirteen seconds. For the IDCODE scan at the max it's 46 seconds for all 24 channels. Once you know that, usually I do the IDCODE scan first to make sure there's a JTAG interface there, and if there is then I go to the bypass scan to get that extra pin, because it takes a little bit longer; the maximum time though, for 24 channels, is five hours. Big deal, you just take a really long lunch break and come back and you're good. And then UART ends up being 24 baud rates per permutation, so it ends up being about one permutation a second, ten minutes for 24 channels.
All right, here are some demos. Let's see, let me bring up my CoolTerm, which is what I'm using on my Mac. How's that look up there? Is that nice and big? Good, OK. So let's see, I'm already connected; I have my JTAGulator plugged in through mini-USB, and I believe I'm already connected, so if I hit enter, yeah, you guys see that response? Question mark, invalid command, so I get the colon sign that tells me the command prompt. So here we go, here's a list; type H, here's the list of commands. Let's see what I have hooked up first. First I actually have UART hooked up, because I wanted to get everything set up before the talk, so I have a bunch of connections from the JTAGulator onto a Linksys WRT54G version 2 that has DD-WRT on it already, so I just have a bunch of these little individual female-to-female leads connected up from the JTAGulator to that.
So if we go ahead, the first thing we need to do is set the target voltage. I think I already did this. Yeah, so I'll do it again just for fun: set the target voltage, 3.3 volts, now the target voltage is set. Then let's go ahead and do identify UART pinout. We'll do carriage return, it's just the standard. Number of channels I have: one, two, three, four channels, four wires set up onto this port of the Linksys device, and pretend I don't know what it is. I just arbitrarily connected things; I know that there's UART there, I tested it, but I don't know which pin is which. So four channels, it's going to be twelve possible permutations; it reminds you to use channels zero through three, and we'll hit spacebar to JTAGulate. Hopefully something will come up. A bunch of stuff came up. See if there's anything else. OK, UART scan complete. So a bunch of stuff came up, and you can see the TX and RX lines are all the same, one and three. That's a good sign; that means something's there, that means when we send a carriage return on channel one we're getting a response on channel three.
But the JTAGulator can't figure out what the data is, because it doesn't know what the data should be. Right, if we have some interface, maybe it is some sort of debug interface, but maybe it's not ASCII, maybe it's something else, maybe it's some binary thing that we need to decode, so it lists everything there, but we can go through manually and say OK. Tell me when you guys see something that might be a useful character; let's see, keep going here. Yeah, 57600 has a 0x0D, which is a line feed or carriage return or something. Then you see this one has a carriage return and line feed. So now we can test both of those and see which one it is. To save time I'm just going to do this one. OK, so remember, transmit is pin one, receive is pin three, and it's at 115.2K.
Now we think we know the UART, so we can do a pass-through mode where we say TX is pin one, RX is pin three, baud rate 115200, and do that. Now we're in UART pass-through. So now we're just using the Propeller, the JTAGulator, as a pass-through, so now we should be able to just communicate directly with DD-WRT. Yeah, thanks, so here we are and we're, you know, in the shell and stuff, so that's cool, because it saves you the trouble of disconnecting everything, putting in your own USB-to-serial adapter and stuff. So when we're done we can just hit Control-X. Now we're back on the JTAGulator side. OK.
So I'm going to disconnect. You know what I'm going to do first: disconnect, set the target voltage back to zero so I don't fry anything as I'm taking these off, take off all these pins. Now we'll do the JTAG detection. I'll do it with the DEF CON 17 badge, you guys remember that? Yeah, like two people, OK, great. That's good enough. OK, three people. OK, so the DEF CON 17 badge had a Freescale MC56F8006 digital signal controller that just happened to have JTAG on it, and I'd broken out the different pins as test points on the board that we were using during the badge hacking contest; you could reprogram the device and everything, because they would constantly get bricked when people were trying to write code for them. So doing development, I just took all those test points, wired them up to a connector so I can connect it up to here and give the demo, but in real life you wouldn't have a connector there, right, you'd just solder wires on or something.
So plug this in. All right, so now it's plugged into the JTAGulator. Let's see, I have to set my target voltage; if I don't, and I try to do identify JTAG, it should tell me I need to set the target voltage first. This is a 3.3 volt system. Target voltage is set, so now let's do the IDCODE scan first; that's going to be the fast way. We have four channels, 24 possible permutations, and we'll JTAGulate. Failure, good, just what I like. Let's see what I screwed up. I don't know. Well, let's see, let's try bypass scan, screw it. Bypass scan takes longer, not long enough for me to actually try to debug this thing. All right, how much time do we have? Good, enough time for me to plug it in a different way. Oh, you know what, did my ground pin fall off? Too much demo. Too much demo, not enough time. As much time as I want, OK. Thanks. Nothing after me, good, OK.
So we'll see. So ground goes to ground. So now I'm just arbitrarily plugging stuff in; on this connector, ground goes to ground. Now I'm just plugging in, I don't care which pins they go to on here. So channels zero through three. All right, let's see if I get lucky; who knows, if not I'll have to reboot the JTAGulator, how lame is that, OK. Target voltage set. Identify pinouts, four pins. Fuck. OK, reset. Oh, that typed 30, that's fine, it will go to 3.0. That's the easy way to do it. Yeah, OK, so a bug in the firmware, great, when you go from UART mode to JTAG mode; anyway, I'll fix that.
Now we have a response, right; we have TDI, we don't know; TDO is pin three, TCK is pin two, TMS is pin one. Let's go ahead and try to find TDI: ready, four channels again, 24 permutations, takes slightly longer. One device detected, and there's our JTAG. Joy, you can clap, OK. So now what we can do is, now that we know that pinout, what was it, I forget: zero, three, two, one. Oops, I messed that up. Yeah, OK. Yeah, so IDCODE, we only need the three, so we need three, two and one. Three, two, one: one device in the chain, and there's our ID code, that 01C06 whatever. It corresponds to this Freescale part; you can look it up. And then let's do the final one, which is the test bypass, so that's zero, three, two, one. One device in the chain, and then the pattern in matches the pattern out, so there we go; now we're pretty sure, and we can do it again and get a different pattern. So, yeah, now we know that's the JTAG interface; now we can go in and hack with it. That's our demo.
OK, so like everything, there are limitations to the tool, like having to press reset. The first thing: you could possibly cause the target to do some sort of unintended thing as you're fuzzing all these test points that you don't know what they are, but that's somewhat of a limitation, but also it could be useful if you're hacking on a device and you somehow cause it to do something unintended; that might be useful. Maybe the OCD interface isn't enabled, maybe it's some sort of password protection, or if it requires some sort of reset sequence, we might not be able to detect it. Vendors try to be sneaky by cutting traces, leaving out jumpers on connections to try to prevent somebody from using it, so we'd have to do a little more reverse engineering to find that first, or maybe there just is no on-chip debug interface.
Future work: we want to add all sorts of stuff. We've got a lot of support for other stuff which hopefully will happen, you know, as needed; as somebody says I need to discover Spy-Bi-Wire on TI, then, you know, I can write a module or someone will write a module to do it. There are lots of possibilities for this type of tool; it's basically like a general-purpose Propeller development tool with lots of I/O that you can use for stuff. We do have a few more available at the Hacker Warehouse at the DEF CON vendor area; all the stuff is available on the Hacker Warehouse website, on JTAGulator.com, which goes to my website. Parallax is selling assembled units and bare boards, and if they run out of stock they're going to make more, so you'll be able to get it.
OK, so the final thing: I've been dying to read this poem. I went up to this guy who just writes random poems in San Francisco and I said I developed a tool called the JTAGulator and explained what it was, and he looked at me for a second and he wrote this poem, so I don't know, maybe you can make some sense of it, but I'll just read it, OK, let's see.
To take an object, from made to modified, customized interfaces between past and few truths can maintain their veneer in the face of signal feedbacks; size of diamond screwdriver doesn't fit circuit, exit, enter the dragnet on all sides, caught with tools, debugging as form of how to gain access to what you have but can't quite double-blind verify, ascertain, make salient discoveries about how, like electricity, keeps its secrets from anything that's not luckily everything electric is JTAGulator, take apart a ball of and find the particles that can't be broken into.
There we go, the end. Thank you.
